Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    93s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 00:13

General

  • Target

    13619f1852111ddb9f7ab75fd5469c7d34ae7b43e12b6f67624f5fd27dd4c7a8.dll

  • Size

    160KB

  • MD5

    7d2a383d85c560e3598dbc7f0b41bf38

  • SHA1

    6610aca6cb5adfc76895b183540e787ce3ef5725

  • SHA256

    13619f1852111ddb9f7ab75fd5469c7d34ae7b43e12b6f67624f5fd27dd4c7a8

  • SHA512

    ce397605d064d728e78018d5be310982b552bccff7b93cf80e243bb3f1b186f64ccca48bdee093a9329cb39cbacc47b9bd4e617d4337201ec26e52ea5f73e28c

  • SSDEEP

    3072:5ibTTp78CcWfJkicFUQRIpvKQecm8ABDNHX:KT14pU8IpvKQJaDxX

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\13619f1852111ddb9f7ab75fd5469c7d34ae7b43e12b6f67624f5fd27dd4c7a8.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\13619f1852111ddb9f7ab75fd5469c7d34ae7b43e12b6f67624f5fd27dd4c7a8.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:4468
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1588
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:2348
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 204
                6⤵
                • Program crash
                PID:228
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4200
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4200 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1924
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1964
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4236
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 612
          3⤵
          • Program crash
          PID:340
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2752 -ip 2752
      1⤵
        PID:4500
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2348 -ip 2348
        1⤵
          PID:1592

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft\WaterMark.exe

          Filesize

          120KB

          MD5

          186a45a9b3189fdb56d59479d6f5fa85

          SHA1

          8be5be86d5aba4b3e6f4af077a25bdc9d1de6610

          SHA256

          bf449f575154998c7449749da4175c377aa6f617f82effc079c85dd5e7df8743

          SHA512

          bcfa06d1084d889cd3b5b3f5f5941af1e0fcdec850213a00bba709545b8f20b1acdbd480b5bc038e5010fce3f4a8ce972a6cc1e00a5012921cdc6b663daac0b7

        • C:\Program Files (x86)\Microsoft\WaterMark.exe

          Filesize

          120KB

          MD5

          186a45a9b3189fdb56d59479d6f5fa85

          SHA1

          8be5be86d5aba4b3e6f4af077a25bdc9d1de6610

          SHA256

          bf449f575154998c7449749da4175c377aa6f617f82effc079c85dd5e7df8743

          SHA512

          bcfa06d1084d889cd3b5b3f5f5941af1e0fcdec850213a00bba709545b8f20b1acdbd480b5bc038e5010fce3f4a8ce972a6cc1e00a5012921cdc6b663daac0b7

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          471B

          MD5

          fceed7a5f76725fb398c6a91ff552899

          SHA1

          237aec000ae7c7c35a639664b1ad6c0d842a0749

          SHA256

          2888c66a6908f10474313b2fef31aeeff40cffe1bcbd19b84b29334ff6a71383

          SHA512

          adfba4e72523d38395c13122d6498d9b48d93b2967858f0208549e3830c9b47ee3e98249b98fe585aeeeffe491a6985a98c80a3be581abccf4239bad4d1cdef3

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          404B

          MD5

          61725f56edccca2ace5eff6848ae843d

          SHA1

          314e17d27be644cd78e5b5ea39da5bfc78a2e0ca

          SHA256

          460bb6c4239ef8d60a9e71f6c13f1d78cfa1b35e66b8db53fdb8117bc5ba352f

          SHA512

          449a33e9f296ae6396a51e92d6eb5cf1157b8322c59d072079743b73f337dd84b224555076f37649d2d315dde70b534a419cb25c4dc8b25d0bec23141ec7fe7e

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          404B

          MD5

          53ea206c8383a4ed299cbf21daf3315f

          SHA1

          cc0259c4fc55b017e9cc2790b3e6b9cb4dcca7c2

          SHA256

          946a77c1ebcdd4ed52e35f3c59bd08b5458a30c41329523f6b71c1ee6da05f87

          SHA512

          fec96cbff7b5e372a2b43fdfc3024ad0c3c871605c57a1bd04986696f84b8a0c7df0ccfa1fa97878edaf13a64321a2db86006b76d014f0f582b421e5b8692216

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          404B

          MD5

          53ea206c8383a4ed299cbf21daf3315f

          SHA1

          cc0259c4fc55b017e9cc2790b3e6b9cb4dcca7c2

          SHA256

          946a77c1ebcdd4ed52e35f3c59bd08b5458a30c41329523f6b71c1ee6da05f87

          SHA512

          fec96cbff7b5e372a2b43fdfc3024ad0c3c871605c57a1bd04986696f84b8a0c7df0ccfa1fa97878edaf13a64321a2db86006b76d014f0f582b421e5b8692216

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1ED8857B-490B-11ED-AECB-4A8324823CC0}.dat

          Filesize

          5KB

          MD5

          b15b25cd88ebc7e3d55216133a946883

          SHA1

          bdb2baf2c639ad5ff7a7675f25caea48f607ae78

          SHA256

          b89a337cd087eec5cdeb590288d36aa3105e6c276bff916bf6a9aef5a00ee507

          SHA512

          a831096a4ffbb8bdfdeb79ae70881495d1ba176d28580ed5a0220cd394066292581da51daa23eb9af55794fdc767d2dd9570e2d1d68763b5bab354df0eb204c8

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1EE210CD-490B-11ED-AECB-4A8324823CC0}.dat

          Filesize

          5KB

          MD5

          0b2c91963901391a6b3994dfd42da28f

          SHA1

          8044168df1893138df3effd3f11bc63949c37804

          SHA256

          fb462217d5a505cbf4a81212ab2feb4a15bf85430a67dc94460b0e6100c1a57d

          SHA512

          5b73598b8c91cdd438518e4e2c804dee15081293c6a1424f3e21a3313f36597545c72e13c438610e3b30486c966e2f6008d04d9c009b7571c5c90af5c37884da

        • C:\Windows\SysWOW64\rundll32mgr.exe

          Filesize

          120KB

          MD5

          186a45a9b3189fdb56d59479d6f5fa85

          SHA1

          8be5be86d5aba4b3e6f4af077a25bdc9d1de6610

          SHA256

          bf449f575154998c7449749da4175c377aa6f617f82effc079c85dd5e7df8743

          SHA512

          bcfa06d1084d889cd3b5b3f5f5941af1e0fcdec850213a00bba709545b8f20b1acdbd480b5bc038e5010fce3f4a8ce972a6cc1e00a5012921cdc6b663daac0b7

        • C:\Windows\SysWOW64\rundll32mgr.exe

          Filesize

          120KB

          MD5

          186a45a9b3189fdb56d59479d6f5fa85

          SHA1

          8be5be86d5aba4b3e6f4af077a25bdc9d1de6610

          SHA256

          bf449f575154998c7449749da4175c377aa6f617f82effc079c85dd5e7df8743

          SHA512

          bcfa06d1084d889cd3b5b3f5f5941af1e0fcdec850213a00bba709545b8f20b1acdbd480b5bc038e5010fce3f4a8ce972a6cc1e00a5012921cdc6b663daac0b7

        • memory/1588-148-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

        • memory/1588-149-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

        • memory/1588-144-0x0000000000540000-0x0000000000566000-memory.dmp

          Filesize

          152KB

        • memory/1588-145-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

        • memory/2752-136-0x000000006D080000-0x000000006D0A8000-memory.dmp

          Filesize

          160KB

        • memory/4468-138-0x0000000002020000-0x0000000002046000-memory.dmp

          Filesize

          152KB

        • memory/4468-137-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB